Vulnerable APIs And Bot Attacks Costing Asia Pacific & Japan Businesses Up To $16.6 Billion Annually

Thales, the cybersecurity leader that protects critical applications, APIs, and data, anywhere at scale, releases the “Economic Impact of API and Bot Attacks” report. The analysis of more than 161,000 unique cybersecurity incidents and uncovers the rising global costs of vulnerable or insecure APIs and automated abuse by bots, two security threats that are increasingly interconnected and prevalent. The report estimates that API insecurity and bot attacks result in up to $186 billion of losses for businesses around the world. The annual losses in Asia Pacific and Japan (APJ) alone are up to $16.6 billion.

The report is based on a study conducted by the Marsh McLennan Cyber Risk Intelligence Center which found that larger organisations were statistically more likely to have a higher percentage of security incidents that involved both insecure APIs and bot attacks. Enterprises with revenues of more than $1 billion were 2-3x more likely to experience automated API abuse by bots than small or mid-size businesses. The study suggests that large companies are particularly vulnerable to security risks associated with automated API abuse by bots, because of complex and widespread API ecosystems that often contain exposed or insecure APIs.

Enterprises rely heavily on APIs to enable seamless communication between diverse applications and services. Data from the Imperva Threat Research team finds that the average enterprise managed 613 API endpoints in production last year. That number is growing rapidly as businesses face mounting pressure to deliver digital services with greater agility and efficiency.

Due to this increased reliance and their direct access to sensitive data, APIs have become attractive targets for bot operators. In 2023, automated threats accounted for 30% of all API attacks globally, according to data from Imperva Threat Research. Today, automated API abuse by bots costs organisations up to $17.9 billion in losses annually. As the number of APIs in production multiplies, cybercriminals will increasingly use automated bots to find and exploit API business logic, circumvent security measures, and exfiltrate sensitive data.

“It’s imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden,” says Nanhi Singh, General Manager of Application Security at Imperva, a Thales company. “The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks.”

Key Trends identified in The Economic Impact of API and Bot Attacks report:

• Increased API adoption and usage is growing the attack surface: The rapid adoption of APIs, inexperience of many API developers, and lack of collaboration between security and development teams have led insecure APIs to now result in up to $4.6 billion of losses in APJ
• Bots negatively impact organisations’ bottom line: The widespread availability of attack tools and generative AI models has enhanced bot evasion techniques and enabled even low-skilled attackers to launch sophisticated bot attacks. Up to $12.8 billion of losses in APJ annually can be attributed to automated attacks by
• API and bot-related security incidents are becoming more frequent: In 2022, API- related security incidents rose by 40%, and bot-related security incidents spiked by 88%. These increases were fueled by a rise in digital transactions, the expanding use of APIs, and geopolitical tensions like the Russia-Ukraine conflict. In the following year, as digital traffic began to stabilise and the pandemic-driven surge in internet activity subsided, the frequency of these incidents API-related security incidents grew by 9%, while bot-related security incidents jumped by 28%. Although less than a fifth (17.7%) of global incidences attributed to API and bot-related security incidents occurred in APJ, up to 14% of them (the highest percentage globally) were API-related, and up to 24% of them were bot-related (APJ is the second highest region globally, after Africa). The overall upward trend in attacks highlights the growing persistence and frequency of these threats.
• Insecure APIs and bot attacks pose a significant threat to large enterprises: Companies with revenue of at least $100 billion are most likely to suffer security incidents related to insecure APIs or bot These threats constitute up to 26% of all security incidents experienced by such businesses.
• Countries around the globe are vulnerable to API and bot attacks: Brazil experienced the highest percentage of events related to insecure APIs or bot attacks, with the threats accounting for up to 32% of all observed security incidents. This was closely followed by France (up to 28%) and three markets in APJ – Japan (up to 28%), India (up to 26%) and Australia (up to 23%).

“Reliance on APIs will continue to grow exponentially, driving connections to generative AI applications and large language models,” adds Singh. “At the same time, generative AI will also empower cybercriminals to create sophisticated bots at an accelerated and alarming rate. As API ecosystems expand and bots become more advanced, organisations should anticipate a significant rise in the economic impact of automated API abuse by bots unless proactive measures are taken.”